System

Note: SwOS uses a simple algorithm to ensure TCP/IP communication: it replies to the same IP and MAC address that the packet came from. This way there is no need for a Default Gateway on the device itself.

General Settings

Property

Description

Address Acquisition

Specify which address acquisition method to use:

DHCP with fallback - For the first 10 seconds the switch uses the DHCP client. If the request is unsuccessful, the address is set to the Static IP Address value

static - The address is set to the Static IP Address value

DHCP only - The switch uses the DHCP client to acquire an address

Static IP Address

IP address of the switch when Address Acquisition is set to DHCP with fallback or static

Identity

Name of the switch (for the MikroTik Neighbor Discovery protocol)

Allow From

IP address from which the switch is accessible. Default value is '0.0.0.0/0' - any address

Allow From Ports

List of switch ports from which it is accessible

Allow From VLAN

VLAN ID from which the switch is accessible (VLAN Mode on ingress port must be other than disabled in order to connect)

Watchdog

Enable or disable the system Watchdog. It will reset the CPU of the switch in case of a fault condition

Independent VLAN Lookup

Enable or disable independent VLAN lookup in the Host table for packet forwarding

IGMP Snooping

Enable or disable IGMP Snooping

Mikrotik Discovery Protocol

Enable or disable the MikroTik Neighbor Discovery protocol

MAC Address

MAC address of the switch (Read-only)

Serial Number

Serial number of the switch (Read-only)

Board Name

MikroTik model name of the switch (Read-only)

Uptime

Current switch uptime (Read-only)
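The three Allow From properties above are the only management-plane restrictions in this table. The following is an added example, not part of the SwOS documentation, that models them and flags settings left wide open. The dictionary keys are hypothetical names for the properties, and it assumes the three restrictions combine with AND and that an unset port list or VLAN places no restriction.

```python
import ipaddress

def mgmt_allowed(cfg, src_ip, ingress_port, vlan_id=None):
    """True if a management connection passes all three Allow From checks.

    Assumption: the checks combine with AND, and None for
    allow_from_ports / allow_from_vlan means "no restriction".
    """
    net = ipaddress.ip_network(cfg.get("allow_from", "0.0.0.0/0"))
    if ipaddress.ip_address(src_ip) not in net:
        return False
    ports = cfg.get("allow_from_ports")
    if ports is not None and ingress_port not in ports:
        return False
    vlan = cfg.get("allow_from_vlan")
    if vlan is not None and vlan_id != vlan:
        return False
    return True

def audit_mgmt_access(cfg, all_ports):
    """Return findings for management restrictions that are not in use."""
    findings = []
    net = ipaddress.ip_network(cfg.get("allow_from", "0.0.0.0/0"))
    if net.prefixlen == 0:
        findings.append("Allow From is 0.0.0.0/0: any source address is accepted")
    ports = cfg.get("allow_from_ports")
    if ports is None or set(ports) >= set(all_ports):
        findings.append("Allow From Ports covers every switch port")
    if cfg.get("allow_from_vlan") is None:
        findings.append("Allow From VLAN is not set")
    return findings

# Constructed sample values, not taken from a real device.
ALL_PORTS = [f"Port{i}" for i in range(1, 11)]
DEFAULT_CFG = {"allow_from": "0.0.0.0/0"}
HARDENED_CFG = {
    "allow_from": "192.168.88.0/24",
    "allow_from_ports": ["Port1"],
    "allow_from_vlan": 99,
}

if __name__ == "__main__":
    for name, cfg in (("default", DEFAULT_CFG), ("hardened", HARDENED_CFG)):
        print(name, audit_mgmt_access(cfg, ALL_PORTS))
```

Because SwOS replies to whatever IP and MAC address a packet came from, a source outside the local subnet can still get answers, so the 0.0.0.0/0 default is worth narrowing.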

DHCP & PPPoE Snooping

DHCP & PPPoE snooping settings

Property

Description

Trusted Ports

Group of ports that allow DHCP or PPPoE servers to provide the requested information. Mainly used to prevent unauthorized servers from providing malicious information to users; access ports are usually not configured as trusted

Add Information Option

Enables or disables DHCP Option-82 information. When enabled, the Option-82 information (Agent Remote ID and Circuit ID) is added for DHCP packets received from untrusted ports. Can be used together with Option-82 capable DHCP server to assign IP addresses and implement policies

Password and Backup

System Management Settings

Link

The Link tab allows you to configure the settings of each interface and monitor link status

Link Settings

Property

Description

Enabled

Enable or disable port

Name

Editable port name

Link Status

Current link status (Read-only)

Auto Negotiation

Enable or disable auto negotiation

Speed

Specify speed setting of the port (requires auto negotiation to be disabled)

Full Duplex

Specify duplex mode of the port (requires auto negotiation to be disabled)

Flow control

Enable or disable 802.3x Flow control

PoE

Devices with PoE-out support have some configuration options and certain monitoring features, like PoE-out current, voltage, etc. For a more detailed description, see Manual:PoE-Out.

PoE tab

SFP

The SFP tab allows you to monitor the status of SFP/SFP+ modules.

SFP Tab

Port Isolation

The Port Isolation table allows or restricts traffic forwarding between specific ports. By default, all available switch chip ports can communicate with any other port; no isolation is used. Ticking a checkbox allows traffic to be forwarded from this port towards the ticked port. Below are some port isolation examples.

In some scenarios you might need to isolate a group of devices from other groups. In this example devices on Port1-Port5 are not able to communicate with Port6-Port10 devices, and vice versa.

In some scenarios you might need to forward all traffic to an uplink port while all other ports are isolated from each other. This kind of setup is called a Private VLAN configuration. The switch will forward all Ethernet frames only to the uplink Port1, while the uplink can reach all other ports.

An individually isolated Port1 (e.g. for management purposes) cannot send traffic to or receive traffic from any other port.

Note: It is possible to check/uncheck multiple checkboxes by checking one of them and then dragging horizontally (Click & Drag).

Note: (R)STP will only work properly in Private VLAN setups. In setups with multiple isolated switch groups (R)STP might not properly receive BPDUs and therefore fail to detect network loops.
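The three isolation examples above can be expressed as forwarding matrices and checked for leftover paths. This is an added example, not part of the SwOS documentation. It is a simplified model in which `matrix[src]` is the set of ports ticked in the row of `src`, and the 10-port layout is constructed.

```python
# Simplified model of the Port Isolation table: matrix[src] is the set of
# ports whose checkbox is ticked in src's row (forwarding src -> dst allowed).

def full_mesh(ports):
    """Default state: every port may forward to every other port."""
    return {p: set(ports) - {p} for p in ports}

def isolate_groups(groups):
    """First example: ports forward only inside their own group."""
    return {p: set(g) - {p} for g in groups for p in g}

def private_vlan(ports, uplink):
    """Second example: access ports reach only the uplink, uplink reaches all."""
    matrix = {p: {uplink} for p in ports if p != uplink}
    matrix[uplink] = set(ports) - {uplink}
    return matrix

def isolate_port(matrix, port):
    """Third example: `port` neither sends to nor receives from any port."""
    out = {p: dsts - {port} for p, dsts in matrix.items()}
    out[port] = set()
    return out

def lateral_paths(matrix, uplink):
    """Audit: (src, dst) pairs of non-uplink ports that can talk directly."""
    return sorted((s, d) for s, dsts in matrix.items() if s != uplink
                  for d in dsts if d != uplink)

def one_way_pairs(matrix):
    """Audit: src -> dst is ticked but dst -> src is not."""
    return sorted((s, d) for s, dsts in matrix.items()
                  for d in dsts if s not in matrix.get(d, set()))

PORTS = [f"Port{i}" for i in range(1, 11)]  # constructed 10-port switch

if __name__ == "__main__":
    pv = private_vlan(PORTS, "Port1")
    print("private VLAN lateral paths:", lateral_paths(pv, "Port1"))
    print("default lateral paths:", len(lateral_paths(full_mesh(PORTS), "Port1")))
    groups = isolate_groups([PORTS[:5], PORTS[5:]])
    print("Port1 may forward to:", sorted(groups["Port1"]))
```

An empty `lateral_paths` result confirms a Private VLAN layout, and `one_way_pairs` catches rows ticked in only one direction.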

LAG

IEEE 802.3ad (LACP) compatible link aggregation is supported, as well as static link aggregation to ensure failover and load balancing based on Layer2 and Layer3 hashing.

Up to 16 link aggregation groups with up to 8 ports per group are supported.

LAG Tab

Property

Description

Each individual port can be configured as Passive LACP, Active LACP or a Static LAG port.

disabled - VLAN table is not used. Switch discards packets with a VLAN tag on egress ports. If the packet has a VLAN tag and the VLAN ID matches Default VLAN ID on egress ports, then with VLAN Receive=any the switch will remove the VLAN tag and forward the packet.

optional - VLAN filtering is disabled. Packets with a VLAN tag ID that is not present in the VLAN table are handled just like packets without a VLAN tag.

enabled - VLAN filtering is enabled. Packets with a VLAN tag ID that is not present in the VLAN table are dropped. Default VLAN ID must be specified for access ports, since it will be used to tag ingress traffic and untag egress traffic for that port.

strict - VLAN filtering is enabled with additional ingress filtering, which checks whether the ingress port is a member of the received VLAN ID in the VLAN table. Packets received on the ingress port with a VLAN ID that does not match the VLAN table will be dropped. Default VLAN ID must be specified for access ports, since it will be used to tag ingress traffic and untag egress traffic for that port.

VLAN Receive (any | only tagged | only untagged; Default: optional)

Ingress traffic filtering based on VLAN tag presence.

any - Allows tagged and untagged packets on a certain port

only tagged - Allows only packets with a VLAN tag

only untagged - Allows only packets without a VLAN tag

Default VLAN ID (integer: 1..4095; Default: 1)

VLAN ID which will be assigned to ingress traffic. It only has an effect on untagged traffic and is ignored for tagged traffic. This parameter is usually used to allocate access ports to a specific VLAN. It is also used to untag egress traffic if the packet's VLAN ID matches the Default VLAN ID.

Force VLAN ID (integer: yes | no; Default: no)

Assigns the Default VLAN ID value to all ingress traffic (tagged and untagged). Has effect in all VLAN Modes. If port receives tagged traffic and Default VLAN ID is set to 1, then with this parameter the egress traffic will be untagged.
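The difference between the optional, enabled and strict modes is easiest to see by running the same tagged frame through each. This is an added example, not part of the SwOS documentation. It models only those three modes plus VLAN Receive as described above; the disabled mode and Force VLAN ID are left out, untagged frames are only assigned the Default VLAN ID, and the port and VLAN values are constructed.

```python
from dataclasses import dataclass

MODES = ("optional", "enabled", "strict")

@dataclass
class PortCfg:
    vlan_mode: str = "optional"    # optional | enabled | strict
    vlan_receive: str = "any"      # any | only tagged | only untagged
    default_vlan_id: int = 1

def ingress(port, cfg, vid, vlan_table):
    """Verdict for a frame arriving on `port`; vid is None when untagged.

    vlan_table maps VLAN ID -> set of member ports (the VLAN table).
    """
    if cfg.vlan_mode not in MODES:
        raise ValueError(f"mode not modelled: {cfg.vlan_mode}")
    tagged = vid is not None
    if cfg.vlan_receive == "only tagged" and not tagged:
        return "drop: VLAN Receive"
    if cfg.vlan_receive == "only untagged" and tagged:
        return "drop: VLAN Receive"
    if not tagged:
        # Scope of this model: no VLAN table check for untagged frames.
        return f"accept: Default VLAN ID {cfg.default_vlan_id}"
    if vid not in vlan_table:
        if cfg.vlan_mode == "optional":
            return "accept: handled like untagged"
        return "drop: VLAN ID not in VLAN table"
    if cfg.vlan_mode == "strict" and port not in vlan_table[vid]:
        return "drop: ingress port not a member"
    return f"accept: VLAN {vid}"

def foreign_vlan_acceptance(ports, vlan_table):
    """Audit: (port, VLAN ID) where a tagged frame is accepted on a non-member port."""
    return sorted(
        (name, vid)
        for name, cfg in ports.items()
        for vid, members in vlan_table.items()
        if name not in members
        and ingress(name, cfg, vid, vlan_table).startswith("accept")
    )

# Constructed sample: Port1 is a trunk, Port2 and Port3 are access ports.
VLAN_TABLE = {10: {"Port1", "Port2"}, 20: {"Port1", "Port3"}}
PORTS = {
    "Port1": PortCfg("strict", "only tagged"),
    "Port2": PortCfg("enabled", "any", 10),
    "Port3": PortCfg("strict", "only untagged", 20),
}

if __name__ == "__main__":
    print(foreign_vlan_acceptance(PORTS, VLAN_TABLE))
```

In the sample, Port2 in enabled mode still accepts frames tagged for VLAN 20; setting it to strict or to only untagged closes that path.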

VLAN membership configuration for switch ports.

VLAN Table Settings

Property

Description

VLAN ID (integer: 1..4095; Default: 0)

VLAN ID to which ports are assigned.

Port Isolation (yes | no; Default: yes)

Use settings from Port Isolation menu to isolate the defined VLAN to only certain ports. When disabled, the switch will ignore port isolation configuration and forward traffic with the defined VLAN ID only to ports that are checked as members.

Learning (yes | no; Default: yes)

Enables or disables MAC address learning on the defined VLAN. If disabled, all learned MAC addresses will appear as if they had been learned from VLAN 1.

Mirror (yes | no; Default: no)

Enables or disables VLAN based mirroring. When enabled and Mirror To is set in the Forwarding menu, then all traffic from the defined VLAN will be mirrored to the selected port.

IGMP Snooping (yes | no; Default: no)

Enables or disables IGMP Snooping on the defined VLAN. When enabled, the switch will listen to IGMP Join and Leave requests from the defined VLAN and only forward traffic to ports, which have sent IGMP membership requests from the defined VLAN. When disabled, the switch will flood all VLAN member ports with Multicast traffic.

Members (ports; Default: none)

Group of ports, which are allowed to forward traffic on the defined VLAN.

VLAN Configuration Example

Hosts

This table represents dynamically learned MAC address to port mapping entries. It can contain two kinds of entries: dynamic and static. Dynamic entries are added automatically, which is also called the learning process: when the switch receives a packet from a certain port, it adds the packet's source MAC address and the port it received the packet from to the host table, so when a packet comes in with a certain destination MAC address, the switch knows to which port it should forward the packet. If the destination MAC address is not present in the host table, the switch forwards the packet to all ports in the group. Dynamic entries take about 5 minutes to time out. CRS3xx devices support 16383 host table entries.

A static entry takes precedence over a dynamic entry with the same MAC address. Adding a static entry also gives you access to some additional functionality.

Host Table

Property

Description

Ports

Ports the packet should be forwarded to

MAC

MAC address

VLAN ID

VLAN ID

Drop

Packets with a certain MAC address coming from certain ports can be dropped

Mirror

Packets can be cloned and sent to the mirror-target port

Property

Description

Port

Ports the packet should be forwarded to (Read-only)

MAC

Learned MAC address (Read-only)

VLAN ID

Learned VLAN ID (Read-only)

IGMP Snooping

IGMP Snooping, which controls multicast streams and prevents multicast flooding, is implemented in SwOS starting from version 2.5. The feature allows a switch to listen in on the IGMP conversation between hosts and routers.

Enable this option under System tab.

IGMP Snooping under System tab

Available IGMP snooping data can be found under IGMP tab:

IGMP Snooping table

It is possible to enable IGMP Snooping for a specific VLAN ID under VLANs menu.

ACL Tab

An access control list (ACL) rule table is a very powerful tool that allows wire-speed packet filtering, forwarding and VLAN tagging based on L2 and L3 protocol header field conditions. Each rule contains a conditions part and an action part.

Configuring SwOS using RouterOS

Since RouterOS 6.43 it is possible to load, save and reset SwOS configuration, as well as upgrade SwOS and set an IP address for the switch by using RouterOS.

Save configuration with /system swos save-config

Note: The configuration will be saved on the same device with swos.config as the filename. Make sure you download the file off your device, since the configuration file will be removed after a reboot.

Load configuration with /system swos load-config

Reset configuration with /system swos reset-config

Set static IP address with /system swos set-address

Note: By setting a static IP address you are not changing the IP address acquisition process, which is DHCP with fallback by default. This means that the configured static IP address will become active only when there are no DHCP servers in the same broadcast domain.

Upgrade SwOS from RouterOS using /system swos upgrade

Note: The upgrade command will automatically install the latest available SwOS version. Make sure that your device has access to the Internet in order for the upgrade process to work properly.